You can deny authentication applications CORS access to the PingFederate OAuth authorization endpoint.
Authentication applications must be highly trusted because they have CORS access to the OAuth authorization endpoint /as/authorization.oauth2. They can use an existing session with PingFederate to get tokens for any OAuth client that does not require authentication. Browser-based applications need this level of access to use the redirectless mode.
If your deployment does not need redirectless mode, you can deny authentication applications CORS access to the OAuth authorization endpoint. Applications still have CORS access to the /pf-ws/authn/flows endpoint but cannot retrieve OAuth tokens directly.
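One way to check the result after the change, as an added example that is not part of the PingFederate documentation: given response heads captured from CORS probes of both endpoints, it reports whether the authorization endpoint still grants credentialed CORS to the application's origin. The origin and the response heads are constructed, and treating access to the flows endpoint as non-credentialed is an assumption.

```python
AUTHZ = "/as/authorization.oauth2"
FLOWS = "/pf-ws/authn/flows"

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def cors_readable(origin, raw, credentialed):
    """Would a browser let `origin` read this response?

    With cookies attached (credentialed), the browser requires an exact
    Access-Control-Allow-Origin match plus Access-Control-Allow-Credentials:
    true; the "*" wildcard only satisfies non-credentialed requests.
    """
    h = parse_headers(raw)
    acao = h.get("access-control-allow-origin")
    if credentialed:
        return acao == origin and h.get("access-control-allow-credentials") == "true"
    return acao in (origin, "*")

def audit(origin, responses):
    """Return findings for probe responses keyed by endpoint path."""
    findings = []
    # Session reuse needs cookies, so only a credentialed grant matters here.
    if cors_readable(origin, responses[AUTHZ], credentialed=True):
        findings.append(f"{AUTHZ} still grants credentialed CORS to {origin}")
    if not cors_readable(origin, responses[FLOWS], credentialed=False):
        findings.append(f"{FLOWS} no longer grants CORS to {origin}")
    return findings

# Constructed sample data (hypothetical origin, hand-written response heads).
ORIGIN = "https://app.example.com"
GRANT = ("HTTP/1.1 200 OK\r\naccess-control-allow-origin: https://app.example.com\r\n"
         "Access-Control-Allow-Credentials: true\r\n")
NO_GRANT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
WILDCARD = "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\n"

BEFORE = {AUTHZ: GRANT, FLOWS: GRANT}     # redirectless mode still possible
AFTER = {AUTHZ: NO_GRANT, FLOWS: GRANT}   # intended state after the change

if __name__ == "__main__":
    for label, responses in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(ORIGIN, responses) or "OK")
```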